net, atm: convert eg_cache_entry.use from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Tue, 4 Jul 2017 12:53:04 +0000 (15:53 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2017 21:35:16 +0000 (22:35 +0100)
The refcount_t type and its corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This helps avoid accidental
reference-counter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/atm/mpoa_caches.c
net/atm/mpoa_caches.h

index 05e89e9930d572277c6a867c878d01011f878602..4ccaa16b1eb10fcaad0e409f397b0187e2411e78 100644 (file)
@@ -339,7 +339,7 @@ static eg_cache_entry *eg_cache_get_by_cache_id(__be32 cache_id,
        entry = mpc->eg_cache;
        while (entry != NULL) {
                if (entry->ctrl_info.cache_id == cache_id) {
-                       atomic_inc(&entry->use);
+                       refcount_inc(&entry->use);
                        read_unlock_irq(&mpc->egress_lock);
                        return entry;
                }
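Review bot: The `refcount_inc(&entry->use)` in this lookup depends on an invariant the code never states: an entry reachable from `mpc->eg_cache` must still hold the list's reference. Unlike `atomic_inc()`, the checked refcount_t implementation warns on an increment from zero and leaves the counter at zero, so the caller would be handed a pointer it holds no reference on. The same applies to the lookups in eg_cache_get_by_tag(), eg_cache_get_by_vcc() and eg_cache_get_by_src_ip() in the following hunks. The unlink path is outside this diff, so please confirm that entries are unlinked under the write side of `egress_lock` before their last put, and record it above the increment, e.g. `/* still linked under egress_lock, so the list's reference keeps use > 0 */`. The function body starts and ends outside the hunk.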
@@ -360,7 +360,7 @@ static eg_cache_entry *eg_cache_get_by_tag(__be32 tag, struct mpoa_client *mpc)
        entry = mpc->eg_cache;
        while (entry != NULL) {
                if (entry->ctrl_info.tag == tag) {
-                       atomic_inc(&entry->use);
+                       refcount_inc(&entry->use);
                        read_unlock_irqrestore(&mpc->egress_lock, flags);
                        return entry;
                }
@@ -382,7 +382,7 @@ static eg_cache_entry *eg_cache_get_by_vcc(struct atm_vcc *vcc,
        entry = mpc->eg_cache;
        while (entry != NULL) {
                if (entry->shortcut == vcc) {
-                       atomic_inc(&entry->use);
+                       refcount_inc(&entry->use);
                        read_unlock_irqrestore(&mpc->egress_lock, flags);
                        return entry;
                }
@@ -402,7 +402,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr,
        entry = mpc->eg_cache;
        while (entry != NULL) {
                if (entry->latest_ip_addr == ipaddr) {
-                       atomic_inc(&entry->use);
+                       refcount_inc(&entry->use);
                        read_unlock_irq(&mpc->egress_lock);
                        return entry;
                }
@@ -415,7 +415,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr,
 
 static void eg_cache_put(eg_cache_entry *entry)
 {
-       if (atomic_dec_and_test(&entry->use)) {
+       if (refcount_dec_and_test(&entry->use)) {
                memset(entry, 0, sizeof(eg_cache_entry));
                kfree(entry);
        }
@@ -468,7 +468,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg,
        dprintk("adding an egress entry, ip = %pI4, this should be our IP\n",
                &msg->content.eg_info.eg_dst_ip);
 
-       atomic_set(&entry->use, 1);
+       refcount_set(&entry->use, 1);
        dprintk("new_eg_cache_entry: about to lock\n");
        write_lock_irq(&client->egress_lock);
        entry->next = client->eg_cache;
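Review bot: The two references that eg_cache_add_entry() takes are undocumented: `refcount_set(&entry->use, 1)` here and `refcount_inc(&entry->use)` in the next hunk leave a new entry at 2, and nothing says who owns each one. Presumably the first belongs to the `client->eg_cache` list and the second to the caller that receives the returned pointer; confirm this against the callers, which are outside this diff. If so, I would add `/* reference held by the client->eg_cache list */` above the set and `/* reference for the caller, dropped with eg_cache_put() */` above the increment. With refcount_t a miscounted put now shows up as a warning rather than a silent wrap, so stating the ownership makes those warnings easier to act on. The function starts before this hunk and continues past the next one.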
@@ -484,7 +484,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg,
        dprintk("new_eg_cache_entry cache_id %u\n",
                ntohl(entry->ctrl_info.cache_id));
        dprintk("mps_ip = %pI4\n", &entry->ctrl_info.mps_ip);
-       atomic_inc(&entry->use);
+       refcount_inc(&entry->use);
 
        write_unlock_irq(&client->egress_lock);
        dprintk("new_eg_cache_entry: unlocked\n");
index 38a4e7e67c0b70ecd3f0f962d551c5099998e6a7..30fe34841cedde62d7093b72670026df7c9cb22a 100644 (file)
@@ -59,7 +59,7 @@ typedef struct eg_cache_entry{
        uint16_t             entry_state;
        __be32             latest_ip_addr;    /* The src IP address of the last packet */
        struct eg_ctrl_info  ctrl_info;
-       atomic_t             use;
+       refcount_t             use;
 } eg_cache_entry;
 
 struct eg_cache_ops{
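Review bot: The `use` member becomes `refcount_t`, but this hunk adds no `#include <linux/refcount.h>` to mpoa_caches.h. The top of the header is outside the hunk, so the include may already be there; please confirm it is, so the header does not rely on include order in its users. The field would also benefit from a short comment on what it counts, e.g. `/* references: cache list plus in-flight lookups; freed in eg_cache_put() */`. That wording is inferred from the .c hunks and should be checked against the unlink path. The struct definition begins before the hunk.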